After several legislative attempts, the Thailand Personal Data Protection Act (PDPA) was finally approved by the Thai National Legislative Assembly in February 2019. Following the passage of the bill, the PDPA was published in the Royal Thai Government Gazette and came into effect on May 28, 2019. Companies now have one year to bring their practices into full compliance by May 27, 2020.
Ultimately, the PDPA will change the data protection landscape in Thailand, as this is the country's first consolidated law on the subject. Many of the principles and obligations in the PDPA were adapted from the EU's General Data Protection Regulation (GDPR), a signal that Thailand hopes to receive an adequacy decision from the European Commission, and the law will substantially raise privacy requirements for businesses operating in Thailand. Even though there is not yet an official English translation of the PDPA, organizations operating in Thailand or handling Thai personal data will need to familiarize themselves with the law quickly, because the compliance deadline is less than a year away.
Overview of the PDPA
Similar to the GDPR, the intention of the PDPA is to protect data owners (i.e., data subjects under the GDPR) in Thailand from the unauthorized or unlawful collection, use, or disclosure and processing of their personal data. The PDPA applies to organizations outside of Thailand that either offer products and services to individuals in Thailand (regardless of whether any payment is required) or monitor the behavior of individuals in Thailand. The law is expected to have a significant effect on online service providers based outside of Thailand that hope to continue to serve the Thai market.
Thailand's PDPA borrows a number of requirements from the GDPR. First, the law establishes a set of lawful bases on which organizations may process data owners' information. Like the GDPR, these lawful bases include consent, legal obligation, public interest, and legitimate interest. In addition, individual rights under the PDPA look very similar to those found under the GDPR, covering the rights of access, objection, erasure, and rectification. And finally, like the GDPR's data protection authorities (DPAs), the PDPA will establish a Personal Data Protection Committee (PDPC) to enforce the law and publish guidance to help organizations comply with it. Let's take a look at the key requirements and principles found in Thailand's new law.
The defined terms used in the PDPA largely align with other GDPR-inspired laws, further indicating that Thailand may be seeking an adequacy agreement with the EU.
- Personal Data: Broadly defined as information that can directly or indirectly identify an individual, excluding the information of a deceased person and business contact data such as contact information, titles, or addresses.
- Data Controller: A person or entity that has the authority to make decisions on the collection, usage, or disclosure of personal data.
- Data Processor: A person or entity that collects, uses, or discloses personal data in accordance with the orders of the data controller.
Sensitive Personal Data
The PDPA provides stringent requirements for the collection and storage of sensitive personal data, which includes personal data pertaining to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Criminal records
- Trade union memberships
- Genetic data
- Biometric data
- Health records
- Sexual orientation or preferences
The collection of sensitive personal data without the express consent of the data owner is prohibited, except in certain circumstances, such as medical emergencies or as required by law.
Data Owner Rights
Data owner rights under the PDPA look similar to data subject rights under the GDPR. Under the PDPA, Thai data owners will be entitled to request access to their personal data and to submit requests to have their personal data deleted, destroyed, or anonymized.
The PDPA states that clear, express consent must be obtained (whether in writing or through an electronic system) on or before the collection of personal data, and that consent requests must not be misleading or deceptive. Data owners may revoke their consent at any time, but revocation does not retroactively affect the collection, use, or disclosure of personal data that was lawfully consented to before the revocation. The exemptions from the consent requirement are quite broad, covering contractual obligations, public interest, and legitimate interest.
For minors, the PDPA requires parental consent for data owners under the age of 10 (and for minors aged 10 and over in specific circumstances), whereas the GDPR requires parental consent for all children under age 16 (member states may lower this threshold to as low as 13).
Enforcement and Penalties
Enforcement of the PDPA will fall under the authority of the Personal Data Protection Committee (PDPC), established to enforce compliance. The PDPC will also issue the guidelines for implementing a data protection framework.
If found noncompliant, organizations can face both civil and criminal penalties. Maximum fines under the PDPA will be substantial (though not as severe as under the GDPR): each offense can incur administrative fines of up to THB 5 million (approximately USD 165,000) and criminal fines of up to THB 1 million (approximately USD 33,000). The PDPA also grants the courts the authority to award punitive damages of up to twice the amount of actual damages, and criminal offenses can carry imprisonment of up to one year. In addition, data owners are now able to bring class-action lawsuits.
Cross-Border Data Transfers
Under the PDPA, cross-border transfer requirements are only vaguely defined, which increases compliance risk. The PDPA will permit international transfers only under a limited set of conditions, including:
- Transfer to a country that has established strong data protection measures that comply with the guidelines defined by the Personal Data Protection Committee
- Transfer under a preexisting contract between the data owner and the controller
Data Protection Officer
Similar to the GDPR, data controllers or processors that collect, use, monitor, or disclose a large amount of personal data will need to appoint a data protection officer (DPO) to monitor and verify compliance with the PDPA. The DPO will conduct compliance audits and inspections and will interact with regulators when necessary. The exact threshold that triggers this obligation is to be set by the Personal Data Protection Committee at a later date.
Preparing for Compliance
Given the short grace period for compliance, it is essential that organizations start reviewing their personal-data-related activities (i.e., customer data, supplier data, employee data, billing and payment documents, etc.) now and take the necessary steps to comply with all PDPA requirements by May 27, 2020. These steps include:
- Data mapping to understand how your company collects, processes, transmits, and stores data, which includes identifying the legal basis to collect and use personal data
- Reviewing internal policies, agreements, and practices related to personal data
- Implementing data management processes and the supporting systems
- Updating existing privacy notices and creating relevant legal documents
- Ensuring employees and personnel are fully trained on the relevant requirements of the PDPA
- Conducting a gap assessment to identify the current levels of compliance
- Having processes in place that allow individuals to exercise their rights relating to their personal data
Due to the similarities between the PDPA and the GDPR, organizations already subject to the GDPR should be well placed for compliance. However, GDPR compliance does not guarantee compliance with the PDPA. With significant penalties for noncompliance and less than a year until the deadline, organizations that handle the personal data of data owners in Thailand should not wait to start working on compliance.
(Since there is not yet an official English translation of the PDPA, information is still limited, but we will continue to make updates to this post as more clarifying information is released.)
Thailand is the newest member of the wave of new data protection laws sweeping the globe, but it certainly won't be the last. Managing compliance with this host of regulations, plus impending state-level privacy laws, is becoming a growing challenge for many organizations. While they require more effort up front, privacy programs built on strong data protection principles and privacy-by-design concepts are becoming the more sustainable option for large organizations, saving time, effort, and budget down the road.
Focal Point helps organizations build custom, adaptable privacy programs that scale with industry trends and organizational change.